Make Sure You're HIPAA Compliant Before You Have to Prove It

Shane Whitlatch, Executive Vice President, FairWarning

NOVEMBER 21, 2018

HIPAA compliance is critical for all healthcare stakeholders. Image has been altered. Licensed from vege - stock.adobe.com.

Phase 2 of the Office of Civil Rights (OCR) Health Insurance Portability and Accountability (HIPAA) Audit Program gives healthcare providers 10 days to prepare. Phase 3’s on-site audits give you no time to prepare; auditors show up without warning to review how well you are complying with HIPAA policies and practices. And even if you aren’t chosen for a random HIPAA audit, you can still face penalties for noncompliance if you experience a patient complaint or a breach.

Taking the opportunity to proactively strengthen your privacy and compliance program will help you maintain control of your patient data and avoid compliance headaches that are costly and time-consuming. In other words, the best time to prepare for an audit is before you’re in one.

Phases of HIPAA Compliance

For Phase 2 of the Audit Program, both covered entities and business associates had to meet selected standards and implementation specifications under HIPAA’s Privacy, Security and Breach Notification Rules. The HHS’s Official Audit Protocol was updated in July 2018. In addition, the aforementioned Phase 3 audits are the compliance equivalent of an on-site pop quiz.

Because the data security landscape has become so complex and fluid, compliance regulations will become more stringent. But rather than dreading an OCR audit, care providers can approach the prospect of an audit as a foundation for making the best choices when adopting new tools, technologies, personnel and workflows.

Typical HIPAA Issues to Look For

HIPAA defines a breach as the acquisition, access, use or disclosure of unsecured protected health information (PHI) in a manner not permitted by HIPAA. This activity must pose a significant risk of harm to the affected individual, whether it’s financial, reputational or other damages. Under the HIPAA Breach Notification Rule, covered entities and business associates are required to notify affected individuals if unsecured PHI is breached.
The HIPAA violations that result in the largest fines are:

Third-party disclosure of PHI

Improper disposal of PHI

Mishandling of medical records

Employees disclosing information

Database breaches

Lost or stolen devices

Failure to perform an organization-wide risk analysis

Employees legally accessing patient files

Lack of training

Failure to encrypt PHI on portable devices

These are just the violations that cost the most. In addition, many other events can result in a HIPAA violation or breach, and therefore fines and settlements — including drug diversion, cybersecurity attacks, insider threats, fraud and identity theft.

Typical HIPAA Violations

HIPAA audits have both a bark and a bite. Since the regulation went into effect in 2003, the OCR has discovered 56 Privacy Rule violations and handed out close to $100 million in fines. And as of 2018, the OCR has received more than 184,000 HIPAA complaints and initiated more than 902 compliance reviews.
The compliance issues most often investigated by the OCR are, in order of frequency:

Impermissible uses and disclosures of PHI

Lack of PHI safeguards

Lack of PHI patient access

Lack of administrative safeguards of ePHI

Use or disclosure of more than the minimum necessary PHI

The covered entities that most often violate HIPAA are general hospitals, health plans, outpatient facilities, private practices and physicians, and pharmacies. More than 37,670 complaints were investigated by the HHS as of July 2018, 69 percent of which have received corrective action.

Ready at Any Moment

You may receive an audit letter — or auditors may just show up at your doorstep one day. Either way, if you’re following HIPAA’s requirements, there is no need to worry. Below are eight recommendations for staying proactively prepared for an OCR audit.

1. Monitor PHI to Protect It

HIPAA stipulates that covered entities and business associates must ensure the confidentiality, integrity and availability of all electronic PHI (ePHI). In addition, electronic systems holding ePHI must allow access to those persons who have been granted access rights.
A best practice is to monitor all systems holding ePHI, including electronic health records (EHRs), cloud applications and mobile devices. By monitoring with a full lifecycle platform, they can detect, investigate, mitigate and remediate inappropriate activity to address incidents. This can also help organizations identify employees who need training, sanctioning or retraining — and foster a culture of privacy and compliance that prevents future incidents from occurring.

2. Identify High-Risk Assets

Covered entities must make the necessary policies and procedures for a privacy and compliance program that adheres to the final Breach Notification Rule. To do so, identify your high-risk assets and ensure that your risk analysis of these assets is current. These should include both technical and non-technical assets that are business-critical.

3. Implement HIPAA Compliance Policies and Procedures

Data are highly valuable to the good guys and the bad guys alike — even if the “bad” guys are well-meaning but uninformed employees. Unless there are proper policies and procedures in place, employees and insider threats may do things to put PHI in jeopardy. Under HIPAA 164.316, organizations are required to implement “reasonable and appropriate policies, procedures and standards.” Furthermore, organizations are required to document those policies and procedures to prove they’ve set boundaries and made expectations and standards transparent.

4. Do a Risk Assessment

You are required to conduct risk assessments to determine the probability of compromised health information. The main goal is to determine whether you need to report a PHI breach. The Office of the National Coordinator for Health Technology (ONC) and the OCR recently updated their Security Risk Assessment Tool to guide organizations through the compliance process.

5. Deploy Identity Correlation

Organizations can improve compliance by implementing identity correlation technology in their EHRs and cloud applications. This is important, as FairWarning sampled 1 million users of EHRs and cloud applications and found that 26 percent were poorly known or unknown to the care provider. This means that these users are unable to be monitored and audited, making it difficult to train or sanction them in the event of a HIPAA violation.

6. Continue Employee Training

Fifty-eight percent of healthcare breaches involve insiders. To make sure employees are fully absorbing the policies and regulations of their day-to-day work, training should be treated as an ongoing process, not a one-time event. Once you identify employees who need training through your monitoring program, you should clearly communicate expectations about your organization’s policies and procedures and train accordingly through an learning management system program.

7. Keep Business Associate Agreements

Covered entities and vendors are both required to create, receive and transmit PHI in a secure and intended manner. Therefore, it is a critical best practice to enter into business associate agreements (BAAs) with any vendors handling PHI. If either party violates the BAA, they may face penalties from the HHS. Most importantly, find a vendor who takes the BAA very seriously. Any organization can sign one, but do they have the proper protocols in place to responsibly handle PHI? Ask questions and investigate to assess how secure their processes really are.

8. Develop an IRP

An incident response plan (IRP) helps your organization contain security incidents that would otherwise become breaches requiring regulatory involvement. The HIPAA Security Rule requires covered entities to have IRPs. The HHS provides a free Incident Response Plan template to help organizations handle incidents with more agility. Once created, an IRP requires frequent evaluation and changes as the organization naturally evolves.

Moving Forward

When you have policies and procedures in place to remain compliant, an OCR audit won’t strike fear into your heart. You’ll have confidence knowing you’ve done everything necessary to keep your data and that of your patients private and secure. You’ll also be laying the groundwork that will keep you prepared for new regulations and new technology.

Shane Whitlatch works with FairWarning’s largest and most sophisticated customers in order to ensure these customers get the greatest value possible from their solutions. Shane also plays a major role in alliance development.

Inside Digital Health™ delivers the information that healthcare decision makers and physicians need to confidently navigate the digital transformation. We bring you compelling stories about the institutions and individuals who are fomenting positive change — so you can join them in leveraging the tools of healthcare technology and leading the noble quest toward improving patient care and eliminating healthcare waste.